The Lead Application Security Engineer is responsible for promoting, guiding, designing, and evaluating the effective use of application security controls in all phases of the application life cycle.
Essential Job Functions:
• Evaluate applications for appropriate and effective use of security controls using tools and techniques such as source code analysis, vulnerability scanners, and manual testing techniques.
• Serve as the practice lead for software security assessments by prioritizing assessment work, coordinating and delegating activities, reviewing work products to ensure quality and consistency, and providing thought leadership to the team.
• Prepare and deliver written and verbal communications in a professional and persuasive manner to internal and external technology and business stakeholders. This may include status briefings, security assessment reports and notifications, policies/standards/processes, etc.
Other Job Functions:
• Participate in all aspects of security service development projects, including the following project phases: business case development, requirements gathering, architecture development, product/service selection and procurement, functional and QA testing, detailed technical design, technology infrastructure implementation and deployment, migration from existing services, operational process and procedure documentation, operations staff training, and internal marketing of security services.
• Facilitate the identification of relevant application security threats (threat modeling) and the establishment of appropriate security control requirements and test plans.
• Ensure that software is architected, designed, and implemented to avoid security-related logic flaws and other adverse security consequences.
• Support and promote the use of application security systems and controls.
• Provide guidance to developers on the appropriate selection and implementation of relevant application security controls.
• Assist in the development of software as needed to support the application security infrastructure.
• Verify remediated application vulnerabilities through various means such as automated scanning or manual testing.
• Serve as subject matter expert on application and information security technologies and methodologies.
• Lead security projects and initiatives.
• Perform other duties and responsibilities as assigned.
Essential Education/Experience Requirements:
• Bachelor of Science in Computer Science, or equivalent education or experience. Emphasis in application security a plus.
• Experience with operating systems such as UNIX, Linux, and Windows Server.
• Experience leading and cultivating high-performance teams.
• Experience with security risk analysis, gauging the appropriate level of likelihood and/or impact that a vulnerability presents within the context of the organization.
• Strong written and verbal communication skills. Specific relevant experience may include technical reports (especially application security assessment reports), technical whitepapers, presentation development and delivery (for both technical and business audiences), technical training, etc. The candidate should have experience making and defending sound technical arguments that incorporate relevant technical and business considerations, and building consensus among stakeholders.
• 5+ years of experience that includes web application development, application security assessment, and team leadership. The successful candidate will have direct professional experience working with a substantial segment of the following tools, technologies, and processes to promote, monitor, analyze, and validate IT system security:
◦ Successful execution of a software vulnerability monitoring and management program, including identification, risk evaluation/triage, consensus building where needed, reporting and communication, and remediation verification.
◦ Web application vulnerability assessment tools such as AppScan and WebInspect.
◦ Code security assessment tools such as Fortify.
◦ Manual software security testing techniques.
◦ Development languages/environments such as C#/ASP/.NET, Java/J2EE/Spring, and object-oriented (OO) n-tier application development environments, including familiarity with their native security services and common deficiencies.
Other Desirable Experience:
• Software engineering and development with emphasis on the following:
◦ Delivery of secure, Internet-exposed, multi-tier, web-based systems.
◦ Hands-on experience throughout the SDLC, including requirements gathering and test planning, software architecture, secure coding, and QC testing.
• Professional, hands-on coding experience in Java/J2EE/Spring or C#/ASP/.NET. Experience with both a plus.
• Providing software architecture security guidance, including developing application threat models and methodically protecting against business logic and design flaws that could introduce security vulnerabilities.
• Security-related experience with the following:
◦ Design patterns and coding standards for secure software.
◦ Secure configuration and operation of application servers, web servers, directory servers, media/content servers, messaging servers, database servers, and integration servers.
◦ Application authentication and authorization systems such as RSA ClearTrust.
◦ Implementing and operating web application firewalls such as Imperva SecureSphere.
◦ Implementing, maintaining, and supporting data encryption and sanitization using Voltage SecureData.
◦ Knowledge of cryptographic toolkits for application development such as RSA BSAFE.
◦ Platform vulnerability and configuration compliance monitoring using tools such as Qualys and Symantec CCS.
◦ Knowledge of and experience with built-in and add-on security capabilities of common application infrastructure components such as MS SQL Server, Oracle, MS IIS, iPlanet Directory, MS Active Directory, MQSeries, MSMQ, and MS Exchange.
◦ Knowledge of general application security APIs and protocols such as MS CryptoAPI, Kerberos, SSL/TLS, SAML, S/MIME, and PKCS APIs.
◦ In-depth hands-on experience with lockdowns of complex enterprise architectures.
• Financial services industry (insurance, banking, investments) experience a plus.